
How to secure Magmi on Magento

Magmi is a Magento mass importer. It is an alternative product importer offering better performance than the default Magento importer. It has no authentication of its own, which makes it a dangerous tool: anyone who can reach it effectively has full access to your Magento webshop database. This article helps you secure your Magmi installation against attackers.

What is Magmi for Magento?

Magmi, the Magento mass importer, is an alternative product importer offering better performance than the default Magento importer. This makes it a very powerful but also dangerous tool, as it effectively offers full access to your Magento webshop database.

We have noticed a number of our customers have installed Magmi without properly securing their Magmi installation, opening up their webshop to being exploited by nefarious actors.

What is the security problem and what are the consequences?

If you run Magmi without securing it, you are effectively granting others access to your Magento database. Your shop can then easily be abused by malicious people: they could, for example, add admin users, change products, or upload malicious files.

A recent well-known Magmi Magento hack was the credit card collection hack that forwarded all payment details of paying customers to the hacker. You can read the full story on Sucuri’s blog.

How do I secure Magmi on my Magento webshop?

Securing Magmi on your Magento webshop is done via SSH.

Log in to your server over SSH with your credentials. Byte customers can find their credentials in their Service Panel.

To protect your Magmi installation with HTTP basic authentication, use the following:

Be sure to replace a.b.c.d with the IP address you wish to whitelist. (Note: you can add as many allow directives as you like.)

Adjust the web server configuration so that the Magmi directory cannot be accessed by visitors who should not have access to it. You can do this by whitelisting IP addresses or by password-protecting the directory.

Allowing Magmi module access to a limited set of IP addresses

To allow access to the Magmi directory from only a few IP addresses, use the following snippet in /data/web/nginx/server.blacklist:
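The following is an added example, not Byte's original snippet, of an Nginx location block for /data/web/nginx/server.blacklist that combines both protections described above: an IP whitelist and HTTP basic authentication. The Magmi path /magmi/, the password file /data/web/nginx/magmi.htpasswd and the PHP-FPM socket are assumptions; match them to your own installation.

```nginx
# Added example (not the original Byte snippet). Placed in
# /data/web/nginx/server.blacklist, which is included in the server block.
# Assumptions: Magmi lives under /magmi/ in the web root; the password file
# /data/web/nginx/magmi.htpasswd has been created separately (e.g. with htpasswd).
location /magmi/ {
    # Require BOTH checks to pass: the client IP must be whitelisted AND
    # valid basic-auth credentials must be supplied. Use "satisfy any"
    # instead if either protection alone should be enough.
    satisfy all;

    # IP whitelist: replace a.b.c.d with the address to allow. Add one
    # "allow" line per address or CIDR range; everything else gets a 403.
    allow a.b.c.d;
    deny all;

    # HTTP basic authentication; visitors without credentials get a 401.
    auth_basic "Magmi";
    auth_basic_user_file /data/web/nginx/magmi.htpasswd;

    # PHP inside the restricted directory still has to be executed. The nested
    # location inherits the allow/deny and auth_basic rules from its parent.
    # The fastcgi_pass target is a placeholder; use the site's own PHP handler.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
```

Verify the result after reloading Nginx: a request from a non-whitelisted address should return 403, and a request from a whitelisted address without credentials should return 401.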

Accessing Magmi for Hypernode users

Need help?

Magento is not an easy open source platform. Although we are very skilled at hosting Magento shops, making them fast and keeping conversion high, we are not Magento developers. Luckily, we know many agencies that do know a lot about how Magento works. If you need help, don't hesitate to contact one of these agencies.